jderosa
Forum Replies Created
Hi, thanks for the help!
Our product is custom, created by another plugin to sell class spots.
You say that BOGO only works with Simple and Variable by default, is there a way to make it work with other product types?
Ok. I wish you would take the time to understand my question, and the difference between how other types of attacks are handled versus these more dangerous attacks.
I think you might find that it would make the product better if it did block the IP automatically, especially since most of these real active attacks are people, not bots.
But, if this is how you think it “should” work, thanks for the help.
On another note, I suggest you go back and look at how long this has been going on prior to you deciding that I’m just dumb. I can’t imagine that over 3 months to get to the bottom of a problem and determine that it’s closed (whether the user agrees or not) is your goal.
Thanks again,
Jim
I understand. But why does it automatically block the IP for other types of attacks, but not these, which are arguably more dangerous?
Can someone please respond?
I suppose it is possible that I’m misunderstanding what “Blocking” should do. Let me explain what I’m seeing, then you tell me how I’m missing anything.
It seems like you’re misunderstanding my concern, not the other way around.
Scenario 1: (see screenshot here)
- Attacker goes to site https://www.xxx.com/xmlrpc.php
- Attacker is blocked from executing the action
- Attacker IP is also blocked for period of time
- Admin has option to unblock, obviously indicating that the IP is blocked
Scenario 2: (see screenshot here)
- Attacker executes more advanced attack listed as against the rules
- Attacker is blocked from executing the action
- Attacker IP is not blocked and can try again with other vectors of attack
- Admin has option to block IP, indicating that the IP is not currently blocked and requires manual intervention to block
As you can imagine, in the 2nd scenario, if the attacker is particularly good, they now have more opportunities to attack the site, possibly with an attack that WPFence is not aware of and cannot defend against.
Does it seem like I’m understanding what’s happening? Does it seem like what’s happening is correct?
Please advise.
Guys. This is getting comically silly. Can I get someone to stick with me until my problem is solved?
Hello? I have sent the information you’ve requested. Do you need additional information, or can you assist?
It’s been a bit of time since I responded…
Thanks for the followup. This is how most of the actual “attacks” appear in my log. It appears that rather than blocking the IP immediately after a rule break, they are able to continue trying multiple vectors of attack.
This happens with all IPs.
Other, more simple things such as accessing a banned URL appear to block correctly and do not allow followup attempts.
Here is the most recent one: https://www.dropbox.com/s/32bql9gnqof1oke/Capture2.jpg?dl=0
Thanks,
Jim
Hi. Can I get some followup on this issue, please?
Hi. Have you had a chance to look at this yet?
I have no whitelisted IP addresses.
This is how the Live Traffic screen looked immediately afterwards. I have since manually blocked the IP permanently. But, it appears that the attack was blocked, but the address was not, as there are pages of different attacks continuing from the same IP.
I would assume that after the first attempt, the IP would be blocked and would not be able to attempt any further antics.
screenshot: https://www.dropbox.com/s/ws1xe4fa92fq5ad/Capture1.jpg?dl=0
Thanks for the help.
Hello, Dave,
Sorry to be a pest, but any suggestions? I’m concerned that I have something misconfigured, but it seems that this is just how it works.
Hi again,
Any suggestions? Same user appears to be still able to attack repeatedly. 12 times within the last hour, even though my “How long is an IP address blocked when it breaks a rule” is set to 1 day.
/xmlrpc.php
It appears to be working. I get an entry that says that the user was blocked for having accessed a forbidden URL, but then lets them do it again 2 minutes later.